From: Xiaoyao Li <xiaoyao.li@intel.com>
To: Paolo Bonzini <pbonzini@redhat.com>,
linux-kernel@vger.kernel.org, kvm@vger.kernel.org
Cc: Jim Mattson <jmattson@redhat.com>
Subject: Re: [PATCH] KVM: x86: avoid incorrect writes to host MSR_IA32_SPEC_CTRL
Date: Fri, 24 Jan 2020 16:00:15 +0800 [thread overview]
Message-ID: <8b960dfe-620b-b649-d377-e5bb1556bb48@intel.com> (raw)
In-Reply-To: <1579614487-44583-3-git-send-email-pbonzini@redhat.com>
On 1/21/2020 9:48 PM, Paolo Bonzini wrote:
> If the guest is configured to have SPEC_CTRL but the host does not
> (which is a nonsensical configuration but these are not explicitly
> forbidden) then a host-initiated MSR write can write vmx->spec_ctrl
> (respectively svm->spec_ctrl) and trigger a #GP when KVM tries to
> restore the host value of the MSR. Add a more comprehensive check
> for valid bits of SPEC_CTRL, covering host CPUID flags and,
> since we are at it and it is more correct that way, guest CPUID
> flags too.
>
> For AMD, remove the unnecessary is_guest_mode check around setting
> the MSR interception bitmap, so that the code looks the same as
> for Intel.
>
> Cc: Jim Mattson <jmattson@redhat.com>
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
> arch/x86/kvm/svm.c | 9 +++------
> arch/x86/kvm/vmx/vmx.c | 7 +++----
> arch/x86/kvm/x86.c | 22 ++++++++++++++++++++++
> arch/x86/kvm/x86.h | 1 +
> 4 files changed, 29 insertions(+), 10 deletions(-)
>
> diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
> index b7c5369c7998..235a7e51de96 100644
> --- a/arch/x86/kvm/svm.c
> +++ b/arch/x86/kvm/svm.c
> @@ -4324,12 +4324,10 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
> !guest_cpuid_has(vcpu, X86_FEATURE_AMD_SSBD))
> return 1;
>
> - /* The STIBP bit doesn't fault even if it's not advertised */
> - if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD))
> + if (data & ~kvm_spec_ctrl_valid_bits(vcpu))
> return 1;
>
> svm->spec_ctrl = data;
> -
> if (!data)
> break;
>
> @@ -4353,13 +4351,12 @@ static int svm_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr)
>
> if (data & ~PRED_CMD_IBPB)
> return 1;
> -
> + if (!boot_cpu_has(X86_FEATURE_AMD_IBPB))
> + return 1;
> if (!data)
> break;
>
> wrmsrl(MSR_IA32_PRED_CMD, PRED_CMD_IBPB);
> - if (is_guest_mode(vcpu))
> - break;
> set_msr_interception(svm->msrpm, MSR_IA32_PRED_CMD, 0, 1);
> break;
> case MSR_AMD64_VIRT_SPEC_CTRL:
> diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
> index bdbf27e92851..112d2314231d 100644
> --- a/arch/x86/kvm/vmx/vmx.c
> +++ b/arch/x86/kvm/vmx/vmx.c
> @@ -1998,12 +1998,10 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
> !guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL))
> return 1;
>
> - /* The STIBP bit doesn't fault even if it's not advertised */
> - if (data & ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD))
> + if (data & ~kvm_spec_ctrl_valid_bits(vcpu))
> return 1;
>
> vmx->spec_ctrl = data;
> -
> if (!data)
> break;
>
> @@ -2037,7 +2035,8 @@ static int vmx_set_msr(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
>
> if (data & ~PRED_CMD_IBPB)
> return 1;
> -
> + if (!boot_cpu_has(X86_FEATURE_SPEC_CTRL))
> + return 1;
> if (!data)
> break;
>
> diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
> index 9f24f5d16854..141fb129c6bf 100644
> --- a/arch/x86/kvm/x86.c
> +++ b/arch/x86/kvm/x86.c
> @@ -10389,6 +10389,28 @@ bool kvm_arch_no_poll(struct kvm_vcpu *vcpu)
> }
> EXPORT_SYMBOL_GPL(kvm_arch_no_poll);
>
> +bool kvm_spec_ctrl_valid_bits(struct kvm_vcpu *vcpu)
The return type should be u64.
> +{
> + uint64_t bits = SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD;
> +
> + /* The STIBP bit doesn't fault even if it's not advertised */
> + if (!guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL) &&
> + !guest_cpuid_has(vcpu, X86_FEATURE_AMD_IBRS))
> + bits &= ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP);
> + if (!boot_cpu_has(X86_FEATURE_SPEC_CTRL) &&
> + !boot_cpu_has(X86_FEATURE_AMD_IBRS))
> + bits &= ~(SPEC_CTRL_IBRS | SPEC_CTRL_STIBP);
> +
> + if (!guest_cpuid_has(vcpu, X86_FEATURE_SPEC_CTRL_SSBD) &&
> + !guest_cpuid_has(vcpu, X86_FEATURE_AMD_SSBD))
> + bits &= ~SPEC_CTRL_SSBD;
> + if (!boot_cpu_has(X86_FEATURE_SPEC_CTRL_SSBD) &&
> + !boot_cpu_has(X86_FEATURE_AMD_SSBD))
> + bits &= ~SPEC_CTRL_SSBD;
> +
> + return bits;
> +}
> +EXPORT_SYMBOL_GPL(kvm_spec_ctrl_valid_bits);
>
> EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_exit);
> EXPORT_TRACEPOINT_SYMBOL_GPL(kvm_fast_mmio);
> diff --git a/arch/x86/kvm/x86.h b/arch/x86/kvm/x86.h
> index ab715cee3653..bc38ac695776 100644
> --- a/arch/x86/kvm/x86.h
> +++ b/arch/x86/kvm/x86.h
> @@ -367,5 +367,6 @@ static inline bool kvm_pat_valid(u64 data)
>
> void kvm_load_guest_xsave_state(struct kvm_vcpu *vcpu);
> void kvm_load_host_xsave_state(struct kvm_vcpu *vcpu);
> +bool kvm_spec_ctrl_valid_bits(struct kvm_vcpu *vcpu);
>
> #endif
>
next prev parent reply other threads:[~2020-01-24 8:02 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-21 13:48 [PATCH] KVM: x86: avoid incorrect writes to host MSR_IA32_SPEC_CTRL Paolo Bonzini
2020-01-24 8:00 ` Xiaoyao Li [this message]
2020-01-24 8:22 ` Paolo Bonzini
2020-01-25 1:32 ` kbuild test robot
2020-02-18 7:11 ` kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8b960dfe-620b-b649-d377-e5bb1556bb48@intel.com \
--to=xiaoyao.li@intel.com \
--cc=jmattson@redhat.com \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pbonzini@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.